[RFC][PATCH] audit: log join and part events to the read-only multicast log socket
by Richard Guy Briggs
Log the event when a client attempts to connect to the netlink audit multicast
socket, requiring CAP_AUDIT_READ capability, binding to the AUDIT_NLGRP_READLOG
group. Log the disconnect too.
Sample output:
time->Tue Oct 7 14:15:19 2014
type=UNKNOWN[1348] msg=audit(1412705719.316:117): auid=0 uid=0 gid=0 ses=1 pid=3552 comm="audit-multicast" exe="/home/rgb/rgb/git/audit-multicast-listen/audit-multicast-listen" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 group=0 op=connect res=1
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
For some reason unbind isn't being called on disconnect. I suspect missing
plumbing in netlink. Investigation needed...
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..7fa6e8f 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
+#define AUDIT_EVENT_LISTENER 1348 /* task joined multicast read socket */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
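Review bot: the new value 1348 leaves 1329 to 1347 unassigned between AUDIT_FEATURE_CHANGE (1328) and this entry, and the sample output in the description shows userspace printing it as UNKNOWN[1348]. A comment stating why that range is skipped (or that the number is provisional for the RFC), plus a pointer to the matching userspace table update, would save the next reader a lookup.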
diff --git a/kernel/audit.c b/kernel/audit.c
index 53bb39b..74c81a7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1108,13 +1108,54 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+static void audit_log_bind(int group, char *op, int err)
+{
+ struct audit_buffer *ab;
+ char comm[sizeof(current->comm)];
+ struct mm_struct *mm = current->mm;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, "auid=%d",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)));
+ audit_log_format(ab, " uid=%d",
+ from_kuid(&init_user_ns, current_uid()));
+ audit_log_format(ab, " gid=%d",
+ from_kgid(&init_user_ns, current_gid()));
+ audit_log_format(ab, " ses=%d", audit_get_sessionid(current));
+ audit_log_format(ab, " pid=%d", task_pid_nr(current));
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ } else
+ audit_log_format(ab, " exe=(null)");
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " group=%d", group);
+ audit_log_format(ab, " op=%s", op);
+ audit_log_format(ab, " res=%d", !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests. */
static int audit_bind(int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_bind(group, "connect", err);
+ return err;
+}
- return 0;
+static void audit_unbind(int group)
+{
+ audit_log_bind(group, "disconnect", 0);
}
static int __net_init audit_net_init(struct net *net)
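Review bot: `op` in audit_log_bind() is only ever passed the string literals "connect" and "disconnect", so declare it `const char *op`. The function also re-implements the task identity fields that audit_log_task_info() already emits (auid, uid, gid, ses, pid, comm, exe, subj, plus ppid, the e/s/fs ids and tty); unless the narrower field set is deliberate, reusing that helper keeps this record's layout consistent with the other audit records and avoids a second copy of the mm->exe_file walk under mmap_sem.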
@@ -1124,6 +1165,7 @@ static int __net_init audit_net_init(struct net *net)
.bind = audit_bind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
+ .unbind = audit_unbind,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
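Review bot: the cover note says unbind is not being invoked on disconnect, so after this hunk the "part" event promised in the subject line is still never produced; either say so in the commit description or hold the `.unbind = audit_unbind` wiring until the netlink side delivers the callback, so the log does not appear complete when it is not. Also note in the description that audit_unbind() never checks CAP_AUDIT_READ and always logs res=1, which is reasonable for a leave event but should be explicit.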
--
1.7.1
10 years
[PATCH V5 0/5] audit by executable name
by Richard Guy Briggs
This is a part of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
Please see the accompanying userspace patch:
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a sample run:
# /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Mon Jun 30 14:15:06 2014
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add_rule" key="touch_tmp" list=4 res=1
# /usr/local/sbin/auditctl -l
-a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# touch /tmp/test
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Wed Jul 2 12:18:47 2014
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
Revision history:
v5: Revert patch "Let audit_free_rule() take care of calling
audit_remove_mark()." since it caused a group mark deadlock.
v4: Re-order and squash down fixups
Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark().
v3: Rationalize and rename some function names and clean up get/put and free code.
Rename several "watch" references to "mark".
Rename audit_remove_rule() to audit_remove_mark_rule().
Let audit_free_rule() take care of calling audit_remove_mark().
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Move the access to the entry for audit_match_signal() to the beginning
of the function in case the entry found is the same one passed in.
This will enable it to be used by audit_remove_mark_rule().
https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
v2: Misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: Change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moody's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (2):
audit: avoid double copying the audit_exe path string
Revert "fixup! audit: clean simple fsnotify implementation"
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 39 +++++++
kernel/audit_exe.c | 49 +++++++++
kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 52 +++++++++-
kernel/auditsc.c | 16 +++
8 files changed, 395 insertions(+), 3 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
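The sample run above shows two things a log consumer has to cope with: one event is several records sharing a serial number, and a userspace whose type table predates the kernel prints new record types as UNKNOWN[n] (1327 is AUDIT_PROCTITLE per the audit.h hunk earlier on this page, 1348 the AUDIT_EVENT_LISTENER value proposed in the RFC at the top). The following is an added Python example, not part of this message or of the audit-userspace tools: it parses records of that format, maps those two numbers to names, decodes the hex-encoded proctitle, groups records by serial into events and flattens each event into the fields a detection rule would match on. The log text is constructed from the sample run; the field regex is a simplification of what auparse does and does not handle every escaping case.

```python
import re
from collections import defaultdict

# Constructed sample input: the records from the sample run above, re-typed
# here so the script runs offline. Serial 149 is a one-record CONFIG_CHANGE
# event; serial 132 is the multi-record event the exe= rule produced.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add_rule" key="touch_tmp" list=4 res=1
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
"""

# Numbers an older userspace prints as UNKNOWN[n]: 1327 is AUDIT_PROCTITLE
# (audit.h hunk earlier on this page), 1348 is the AUDIT_EVENT_LISTENER value
# proposed in the RFC patch at the top of the page.
TYPE_NAMES = {1327: "PROCTITLE", 1348: "EVENT_LISTENER"}

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
UNKNOWN_RE = re.compile(r"^UNKNOWN\[(\d+)\]$")


def decode_proctitle(hexstr):
    """An unquoted proctitle is hex-encoded argv with NUL separators."""
    return " ".join(bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0"))


def parse_record(line):
    """Parse one 'type=... msg=audit(ts:serial): k=v ...' line, or return None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype = m.group("type")
    u = UNKNOWN_RE.match(rtype)
    if u:
        rtype = TYPE_NAMES.get(int(u.group(1)), rtype)
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif key == "proctitle":
            value = decode_proctitle(value)
        fields[key] = value
    return {"type": rtype, "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(text):
    """Records that share a serial number belong to one event; group them."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(event):
    """Flatten one event into the fields a detection rule would match on."""
    out = {"serial": event[0]["serial"], "paths": []}
    for rec in event:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            for k in ("syscall", "success", "exe", "comm", "auid", "uid", "key"):
                out[k] = f.get(k)
        elif rec["type"] == "PROCTITLE":
            out["proctitle"] = f.get("proctitle")
        elif rec["type"] == "PATH":
            out["paths"].append((f.get("nametype"), f.get("name")))
        elif rec["type"] == "CWD":
            out["cwd"] = f.get("cwd")
        elif rec["type"] == "CONFIG_CHANGE":
            for k in ("op", "key", "res", "auid"):
                out[k] = f.get(k)
    return out


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, summarize(event))
```

Run as a script it prints one summary line per event; the serial-132 summary shows exe=/usr/bin/touch, key=touch_tmp, the CREATE of /tmp/test and the decoded proctitle "touch /tmp/test", which is the evidence that the exe= rule fired for the intended binary.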
10 years
auditd at a 32 bit Gentoo Linux x86 system won't work any longer with 3.18-rc2
by Toralf Förster
Version 2.2.2 is fine with kernel 3.17, but with 3.18-rc2 I do have an issue.
As soon as auditd is started, I do get within the KVM an
"INIT: Id "c1! respawning too fast: disabled for 5 minutes" when I try to log in to the KVM as root.
Furthermore, as a previously logged-in user I can run any command w/o getting any feedback, meaning "ls", "halt", "reboot" do nothing, the prompt just returns immediately and that's all.
--
Toralf
pgp key: 0076 E94E
10 years
[PATCH][STABLE] audit: correct AUDIT_GET_FEATURE return message type
by Richard Guy Briggs
When an AUDIT_GET_FEATURE message is sent from userspace to the kernel, it
should reply with a message tagged as an AUDIT_GET_FEATURE type with a struct
audit_feature. The current reply is a message tagged as an AUDIT_GET
type with a struct audit_feature.
This appears to have been a cut-and-paste error in commit b0fed40.
Reported-by: Steve Grubb <sgrubb(a)redhat.com>
Cc: stable(a)vger.kernel.org # v3.13-rc1
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index d20f00f..3a80abb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -724,7 +724,7 @@ static int audit_get_feature(struct sk_buff *skb)
seq = nlmsg_hdr(skb)->nlmsg_seq;
- audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af));
+ audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
return 0;
}
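Review bot: since this is tagged for stable, add a `Fixes:` line citing commit b0fed40 with its full hash so the stable maintainers can match it automatically instead of relying on the abbreviated id in the description. The substituted type in the audit_send_reply() call is otherwise exactly what the description asks for.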
--
1.7.1
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
10 years
audit 2.4.1 released
by Steve Grubb
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Make python3 support easier
- Add support for ppc64le (Tony Jones)
- Add some translations for a1 of ioctl system calls
- Add command & virtualization reports to aureport
- Update aureport config report for new events
- Add account modification summary report to aureport
- Add GRP_MGMT and GRP_CHAUTHTOK event types
- Correct aureport account change reports
- Add integrity event report to aureport
- Add config change summary report to aureport
- Adjust some syslogging level settings in audispd
- Improve parsing performance in everything
- When ausearch outputs a line, use the previously parsed values (Burn Alting)
- Improve searching and interpreting groups in events
- Fully interpret the proctitle field in auparse
- Correct libaudit and auditctl support for kernel features
- Add support for backlog_time_wait setting via auditctl
- Update syscall tables for the 3.18 kernel
- Ignore DNS failure for email validation in auditd (#1138674)
- Allow rotate as action for space_left and disk_full in auditd.conf
- Correct login summary report of aureport
- Auditctl syscalls can be comma separated list now
- Update rules for new subsystems and capabilities
This is a large set of features and bug fixes. There are new reports, updates
for new kernels, updates for a new platform, improvements to translations, and
searching speed has been improved.
One new feature is that "rotate" can be set as an action for space_left,
admin_space_left, or disk_full states. A typical use for this might be that
you want as much stored in the logging partition as possible. When you hit a
threshold, then it frees up space by rotating the logs.
Another change in this release is that now syscalls can be given as a comma
separated list. By way of example, in the old stig rules, you have this:
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
now it can be:
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
All example rules were switched over to use this new representation. The
upshot of this is that with the 2.4.1 release, you can now use
auditctl -l > audit.in-kernel
diff -u /etc/audit/audit.rules audit.in-kernel
to see the difference between what's expected to be in place and what is actually
in place. One thing to note, auditctl outputs the syscalls from lowest number
to highest. This means that you may need to use ausyscall occasionally to help
figure out the order when switching over to this. Or, you can just use the
auditctl listing to set the order.
Please let me know if you run across any problems with this release.
-Steve
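The diff described above only works once the file and the in-kernel listing are spelled the same way: auditctl prints syscalls as one comma-separated list in number order, adds an explicit "-S all" to a rule that names no syscall, and writes keys as "-F key=". The following is an added Python example, not part of this release or of the audit-userspace tools, that compares a rules file against an auditctl -l listing after reducing both to a canonical form, so that "-S a -S b" versus "-S b,a", "-k x" versus "-F key=x" and "always,exit" versus "exit,always" stop producing false differences. The two rule sets are constructed for the example; the treatment of a watch with no -p as rwxa is an assumption made here, and it also goes beyond the syscall-rule case in the text by canonicalising -w watches.

```python
import shlex

# Constructed sample: the rules an administrator expects (the file side of the
# diff) and what auditctl -l reports for the same box. The in-kernel side uses
# the comma-separated, number-ordered spelling, "-F key=" and the explicit
# "-S all" that auditctl prints for a rule with no -S; it is also missing one
# rule and carries one extra watch, so the comparison has something to find.
EXPECTED_RULES = """\
# First rule - delete all
-D
-b 8192
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-a always,exit -F arch=b64 -S openat -S open -F exit=-EACCES -k access
-a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
-w /etc/passwd -p wa -k passwd_changes
-e 2
"""

IN_KERNEL_LISTING = """\
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F key=perm_mod
-a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
"""


def _canon_syscall_rule(toks):
    """Canonical form of an '-a action,list ...' rule: option order, -S spelling
    (repeated vs comma-separated, any order) and -k vs -F key= no longer matter."""
    action = tuple(sorted(toks[1].split(",")))      # always,exit == exit,always
    syscalls, fields = set(), []
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt == "-S":
            syscalls.update(arg.split(","))
        elif opt == "-F":
            fields.append(arg)
        elif opt == "-k":
            fields.append("key=" + arg)                # -k is shorthand for -F key=
        else:
            raise ValueError("unsupported option %s in: %s" % (opt, " ".join(toks)))
    if not syscalls:
        syscalls = {"all"}      # auditctl -l prints a rule with no -S as "-S all"
    return ("a", action, tuple(sorted(syscalls)), tuple(sorted(fields)))


def _canon_watch_rule(toks):
    """Canonical form of a '-w path [-p perms] [-k key]' rule."""
    path, perms, key = toks[1], "rwxa", None   # assumption: no -p means all four
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt == "-p":
            perms = arg
        elif opt == "-k":
            key = arg
    return ("w", path, "".join(sorted(perms)), key)


def normalize_rule(line):
    """Return a hashable canonical key for a rule line, or None for comments,
    blank lines and control commands (-D, -b, -e, ...) that are not rules."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks:
        return None
    if toks[0] == "-a":
        return _canon_syscall_rule(toks)
    if toks[0] == "-w":
        return _canon_watch_rule(toks)
    return None


def load_rules(text):
    """Map canonical key -> original line for every rule in a rules file."""
    rules = {}
    for line in text.splitlines():
        key = normalize_rule(line)
        if key is not None:
            rules[key] = line.strip()
    return rules


def diff_rules(expected_text, in_kernel_text):
    """Report rules present in the file but not loaded, and vice versa,
    ignoring the cosmetic differences auditctl -l introduces."""
    expected, loaded = load_rules(expected_text), load_rules(in_kernel_text)
    return {
        "missing": [line for key, line in expected.items() if key not in loaded],
        "unexpected": [line for key, line in loaded.items() if key not in expected],
    }


if __name__ == "__main__":
    for kind, lines in diff_rules(EXPECTED_RULES, IN_KERNEL_LISTING).items():
        for line in lines:
            print("%s: %s" % (kind, line))
```

On a real host the two texts would be the contents of /etc/audit/audit.rules and the output of auditctl -l; because the comparison is on canonical keys rather than line text, the ausyscall ordering step mentioned above is not needed. A rule that is listed but not in the file is the case worth alerting on, since it means the in-kernel policy was changed by something other than the managed file.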
10 years
[PATCH] i386/audit: stop scribbling on the stack frame
by Richard Guy Briggs
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
It was writing over %esp/pt_regs semi-randomly on i686 with the expected
"system can't boot" results. As noted in:
https://bugs.freedesktop.org/show_bug.cgi?id=85277
This patch stops fscking with pt_regs. Instead it sets up the registers
for the call to __audit_syscall_entry in the most obvious conceivable
way. It then does just a tiny tiny touch of magic. We need to get what
started in PT_EDX into 0(%esp) and PT_ESI into 4(%esp). This is as easy
as a pair of pushes using the values still in those registers.
After the call to __audit_syscall_entry all we need to do is get that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about its business.
Reported-by: Paulo Zanoni <przanoni(a)gmail.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: x86(a)kernel.org
Cc: linux-kernel(a)vger.kernel.org
Cc: linux-audit(a)redhat.com
---
On 14/10/25, Thomas Gleixner wrote:
> Why are we grabbing that from the stack? AFAICT all arguments are in
> the registers still.
Right, re-arranging the instructions slightly to avoid overwriting %edx
with %ebx before needing it to push onto the stack, how does this look?
arch/x86/kernel/entry_32.S | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed8..344b63f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
sysenter_audit:
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
jnz syscall_trace_entry
- addl $4,%esp
- CFI_ADJUST_CFA_OFFSET -4
- movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
- movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
- /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
- movl %ebx,%edx /* 2nd arg: 1st syscall arg */
- /* %eax already in %eax 1st arg: syscall number */
+ /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
+ /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
+ pushl_cfi %esi /* a3: 5th arg */
+ pushl_cfi %edx /* a2: 4th arg */
+ movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
call __audit_syscall_entry
- pushl_cfi %ebx
+ popl_cfi %ecx /* get that remapped edx off the stack */
+ popl_cfi %ecx /* get that remapped esi off the stack */
movl PT_EAX(%esp),%eax /* reload syscall number */
jmp sysenter_do_call
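Review bot: the two added comment lines say "3nd arg"; make that "3rd". More substantively, `pushl_cfi %esi` and `pushl_cfi %edx` depend on those registers still holding the 4th and 3rd syscall arguments when sysenter_audit is reached, while the comments only claim "already set" for %eax and %ecx; state that assumption for %esi/%edx too, since the variant that reads PT_ESI/PT_EDX back from pt_regs does not need it. A comment that the two `popl_cfi %ecx` merely discard the pushed words would also make the %ecx clobber obviously intentional.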
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
10 years
gentoo auditd not logging?
by Marko Weber | 8000
Hello List,
I installed audit on a Gentoo box.
In the auditd.log it shows logins via ssh:
type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
But in the logs I can't see failed logins.
My config for testing looks like this:
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
-a exclude,always -F msgtype=NETFILTER_CFG
-w /sbin/insmod -p x -k module_insertion
-w /etc/passwd -p wa -k passwd_changes
-w /var/log/auth.log -p wa -k logins
-w /etc/ssh/sshd_config -p warx -k sshd_config
# The following rule would cause all of the syscalls listed to be ignored in logging.
#-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
#-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# lock the audit configuration to prevent any modification of this file.
-e 2
In auditd.log I can't see anything when I cat sshd_config or when I open sshd_config in vim and save it.
Nothing shown in the log.
Did I miss something?
best regards
marko
--
zbfmail - Mittendrin statt nur Datei!
OpenDKIM, SPF, DSPAM, Greylisting, POSTSCREEN, AMAVIS, Mailgateways
Mailfiltering, SMTP Service, Spam Abwehr, MX-Backup, Mailserver Backup
Redundante Mailgateways, HA Mailserver, Secure Mailserver
10 years
[PATCH] i386/audit: stop scribbling on the stack frame
by Eric Paris
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
It was writing over %esp/pt_regs semi-randomly on i686 with the expected
"system can't boot" results. As noted in:
https://bugs.freedesktop.org/show_bug.cgi?id=85277
This patch stops fscking with pt_regs. Instead it sets up the registers
for the call to __audit_syscall_entry in the most obvious conceivable
way. It then does just a tiny tiny touch of magic. We need to get what
started in PT_EDX into 0(%esp) and PT_ESI into 4(%esp). This is as easy
as a pair of pushes.
After the call to __audit_syscall_entry all we need to do is get that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about its business.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: x86(a)kernel.org
Cc: linux-kernel(a)vger.kernel.org
Cc: linux-audit(a)redhat.com
---
arch/x86/kernel/entry_32.S | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index f9e3fab..fb01d22 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
sysenter_audit:
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
jnz syscall_trace_entry
- addl $4,%esp
- CFI_ADJUST_CFA_OFFSET -4
- movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
- movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
- /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
- movl %ebx,%edx /* 2nd arg: 1st syscall arg */
- /* %eax already in %eax 1st arg: syscall number */
+ /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
+ movl PT_EBX(%esp), %edx /* ebx/a0: 2nd arg to audit */
+ /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
+ pushl_cfi PT_ESI(%esp) /* a3: 5th arg */
+ pushl_cfi PT_EDX+4(%esp) /* a2: 4th arg */
call __audit_syscall_entry
- pushl_cfi %ebx
+ popl_cfi %ecx /* get that remapped edx off the stack */
+ popl_cfi %ecx /* get that remapped esi off the stack */
movl PT_EAX(%esp),%eax /* reload syscall number */
jmp sysenter_do_call
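Review bot: `pushl_cfi PT_EDX+4(%esp)` only reads the right slot because the preceding `pushl_cfi PT_ESI(%esp)` has already moved %esp down by 4; spell that out in the comment so a later reorder of the two pushes does not silently pick up the wrong word. The comment on the %ecx line reads "3nd"; make it "3rd". A comment that the two `popl_cfi %ecx` only discard the pushed words would make the %ecx clobber obviously intentional as well.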
--
1.9.3
10 years
Re: Linux-audit Digest, Vol 121, Issue 17
by Ali Alavi
unsubscribe
On Tue, Oct 21, 2014 at 7:30 PM, <linux-audit-request(a)redhat.com> wrote:
> Send Linux-audit mailing list submissions to
> linux-audit(a)redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/linux-audit
> or, via email, send a message with subject or body 'help' to
> linux-audit-request(a)redhat.com
>
> You can reach the person managing the list at
> linux-audit-owner(a)redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Linux-audit digest..."
>
>
> Today's Topics:
>
> 1. [PATCH] audit: add Paul Moore to the MAINTAINERS entry
> (Paul Moore)
> 2. Re: [PATCH V5 0/5] audit by executable name (Steve Grubb)
> 3. Re: [PATCH V5 0/5] audit by executable name (Eric Paris)
> 4. Re: [PATCH V5 0/5] audit by executable name (Paul Moore)
> 5. Re: [PATCH V5 0/5] audit by executable name (Steve Grubb)
> 6. Re: [PATCH V5 0/5] audit by executable name (Steve Grubb)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 20 Oct 2014 12:23:28 -0400
> From: Paul Moore <pmoore(a)redhat.com>
> To: linux-audit(a)redhat.com, linux-kernel(a)vger.kernel.org,
> eparis(a)redhat.com
> Subject: [PATCH] audit: add Paul Moore to the MAINTAINERS entry
> Message-ID: <20141020162328.1159.33576.stgit@localhost>
> Content-Type: text/plain; charset="utf-8"
>
> After a long stint maintaining the audit tree, Eric asked me to step
> in and handle the day-to-day management of the audit tree. We should
> also update the linux-audit mailing list entry to better reflect
> current usage.
>
> Signed-off-by: Paul Moore <pmoore(a)redhat.com>
> ---
> MAINTAINERS | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c2066f4..86c24fd 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1689,10 +1689,11 @@ S: Supported
> F: drivers/scsi/esas2r
>
> AUDIT SUBSYSTEM
> +M: Paul Moore <paul(a)paul-moore.com>
> M: Eric Paris <eparis(a)redhat.com>
> -L: linux-audit(a)redhat.com (subscribers-only)
> +L: linux-audit(a)redhat.com (moderated for non-subscribers)
> W: http://people.redhat.com/sgrubb/audit/
> -T: git git://git.infradead.org/users/eparis/audit.git
> +T: git git://git.infradead.org/users/pcmoore/audit
> S: Maintained
> F: include/linux/audit.h
> F: include/uapi/linux/audit.h
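Review bot: the T: line drops the ".git" suffix while changing the user path (users/eparis/audit.git to users/pcmoore/audit); fine if the new repository really is published without the suffix, but worth confirming since the two lines otherwise differ only in the user component. The L: annotation change to "moderated for non-subscribers" matches the description.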
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 20 Oct 2014 16:25:13 -0400
> From: Steve Grubb <sgrubb(a)redhat.com>
> To: Richard Guy Briggs <rgb(a)redhat.com>
> Cc: linux-audit(a)redhat.com, linux-kernel(a)vger.kernel.org
> Subject: Re: [PATCH V5 0/5] audit by executable name
> Message-ID: <2527124.XNMpLdSfeq@x2>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > This is a part of Peter Moody, my and Eric Paris' work to implement
> > audit by executable name.
>
> Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> supports
> it when issuing commands. Also, if its conceivable that kernels may pick
> and
> choose what features could be backported to a curated kernel, should
> AUDIT_VERSION_ be a number that is incremented or a bit mask?
>
> -Steve
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Oct 2014 18:47:27 -0400
> From: Eric Paris <eparis(a)redhat.com>
> To: Steve Grubb <sgrubb(a)redhat.com>
> Cc: Richard Guy Briggs <rgb(a)redhat.com>, linux-audit(a)redhat.com,
> linux-kernel(a)vger.kernel.org
> Subject: Re: [PATCH V5 0/5] audit by executable name
> Message-ID: <1413845247.30946.49.camel@localhost>
> Content-Type: text/plain; charset="UTF-8"
>
> On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > audit by executable name.
> >
> > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> supports
> > it when issuing commands. Also, if its conceivable that kernels may pick
> and
> > choose what features could be backported to a curated kernel, should
> > AUDIT_VERSION_ be a number that is incremented or a bit mask?
>
> Right now the value is 2. So this is your last hope if you want to make
> it a bitmask. I'll leave that up to paul/richard to (over) design.
>
> Support for by EXEC should probably be noted somehow. Especially since
> audit_netlink_ok() sucks and return EINVAL for unknown message types. We
> wouldn't need the bump to version if that returned EOPNOTSUP and
> userspace could actually tell what was going on...
>
> >
> > -Steve
> >
> >
> > > Please see the accompanying userspace patch:
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
> > > The userspace interface is not expected to change appreciably unless
> > > something important has been overlooked. Setting and deleting rules
> works
> > > as expected.
> > >
> > > If the path does not exist at rule creation time, it will be
> re-evaluated
> > > every time there is a change to the parent directory at which point the
> > > change in device and inode will be noted.
> > >
> > >
> > > Here's a sample run:
> > >
> > > # /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F
> exe=/bin/touch -F
> > > key=touch_tmp # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Mon Jun 30 14:15:06 2014
> > > type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1
> > > subj=unconfined_u :unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add_rule"
> > > key="touch_tmp" list=4 res =1
> > >
> > > # /usr/local/sbin/auditctl -l
> > > -a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
> > >
> > > # touch /tmp/test
> > >
> > > # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Wed Jul 2 12:18:47 2014
> > > type=UNKNOWN[1327] msg=audit(1404317927.319:132):
> > > proctitle=746F756368002F746D702F74657374 type=PATH
> > > msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997
> > > dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00
> > > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH
> > > msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144
> dev=00:20
> > > mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
> > > nametype=PARENT type=CWD msg=audit(1404317927.319:132): cwd="/root"
> > > type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2
> > > success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2
> > > ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0
> > > fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key="touch_tmp"
> > >
> > >
> > > Revision history:
> > > v5: Revert patch "Let audit_free_rule() take care of calling
> > > audit_remove_mark()." since it caused a group mark deadlock.
> > >
> > > v4: Re-order and squash down fixups
> > > Fix audit_dup_exe() to copy pathname string before calling
> > > audit_alloc_mark().
> > >
> > > v3: Rationalize and rename some function names and clean up get/put
> and free
> > > code. Rename several "watch" references to "mark".
> > > Rename audit_remove_rule() to audit_remove_mark_rule().
> > > Let audit_free_rule() take care of calling audit_remove_mark().
> > > Put audit_alloc_mark() arguments in same order as watch, tree and
> inode.
> > > Move the access to the entry for audit_match_signal() to the beginning
> of
> > > the function in case the entry found is the same one passed in. This
> will
> > > enable it to be used by audit_remove_mark_rule().
> > >
> https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> > >
> > > v2: Misguided attempt to add in audit_exe similar to watches
> > >
> https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> > >
> > > v1.5: eparis' switch to fsnotify
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> > >
> > > v1: Change to path interface instead of inode
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> > >
> > > v0: Peter Moodie's original patches
> > >
> > > https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> > >
> > >
> > > Next step:
> > > Get full-path notify working.
> > >
> > >
> > > Eric Paris (3):
> > > audit: implement audit by executable
> > > audit: clean simple fsnotify implementation
> > > audit: convert audit_exe to audit_fsnotify
> > >
> > > Richard Guy Briggs (2):
> > > audit: avoid double copying the audit_exe path string
> > > Revert "fixup! audit: clean simple fsnotify implementation"
> > >
> > > include/linux/audit.h | 1 +
> > > include/uapi/linux/audit.h | 2 +
> > > kernel/Makefile | 2 +-
> > > kernel/audit.h | 39 +++++++
> > > kernel/audit_exe.c | 49 +++++++++
> > > kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
> > > kernel/auditfilter.c | 52 +++++++++-
> > > kernel/auditsc.c | 16 +++
> > > 8 files changed, 395 insertions(+), 3 deletions(-)
> > > create mode 100644 kernel/audit_exe.c
> > > create mode 100644 kernel/audit_fsnotify.c
> >
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 20 Oct 2014 19:02:33 -0400
> From: Paul Moore <pmoore(a)redhat.com>
> To: Eric Paris <eparis(a)redhat.com>, Steve Grubb <sgrubb(a)redhat.com>,
> Richard Guy Briggs <rgb(a)redhat.com>
> Cc: linux-audit(a)redhat.com, linux-kernel(a)vger.kernel.org
> Subject: Re: [PATCH V5 0/5] audit by executable name
> Message-ID: <2652562.S2IH3gqS0u@sifl>
> Content-Type: text/plain; charset="us-ascii"
>
> On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
> > On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > audit by executable name.
> > >
> > > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> > > supports it when issuing commands. Also, if it's conceivable that kernels
> > > may pick and choose what features could be backported to a curated
> > > kernel, should AUDIT_VERSION_ be a number that is incremented or a bit
> > > mask?
> >
> > Right now the value is 2. So this is your last hope if you want to make
> > it a bitmask. I'll leave that up to paul/richard to (over) design.
>
> Audit is nothing if not over-designed. I want to make sure we're consistent
> with the previous design methodologies ;)
>
> I've been thinking about this for about the past half-hour while I've been
> going through some other mail and I'm not really enthused about using the
> version number to encode capabilities. What sort of problems would we have if
> we introduced a new audit netlink command to query the kernel for audit
> capabilities?
>
> --
> paul moore
> security and virtualization @ redhat
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 20 Oct 2014 19:33:39 -0400
> From: Steve Grubb <sgrubb(a)redhat.com>
> To: Paul Moore <pmoore(a)redhat.com>
> Cc: Richard Guy Briggs <rgb(a)redhat.com>, linux-audit(a)redhat.com,
> linux-kernel(a)vger.kernel.org
> Subject: Re: [PATCH V5 0/5] audit by executable name
> Message-ID: <4185398.VpQETdPFDe@x2>
> Content-Type: text/plain; charset="us-ascii"
>
> On Monday, October 20, 2014 07:02:33 PM Paul Moore wrote:
> > On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
> > > On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > > > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > > audit by executable name.
> > > >
> > > > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > > > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> > > > supports it when issuing commands. Also, if it's conceivable that kernels
> > > > may pick and choose what features could be backported to a curated
> > > > kernel, should AUDIT_VERSION_ be a number that is incremented or a bit
> > > > mask?
> > >
> > > Right now the value is 2. So this is your last hope if you want to make
> > > it a bitmask. I'll leave that up to paul/richard to (over) design.
> >
> > Audit is nothing if not over-designed. I want to make sure we're consistent
> > with the previous design methodologies ;)
> >
> > I've been thinking about this for about the past half-hour while I've been
> > going through some other mail and I'm not really enthused about using the
> > version number to encode capabilities. What sort of problems would we have
> > if we introduced a new audit netlink command to query the kernel for audit
> > capabilities?
>
> I thought that is what we were getting in this patch:
> https://www.redhat.com/archives/linux-audit/2014-January/msg00054.html
>
> As I understood it, I send an AUDIT_GET command on netlink and then look in
> status.version to see what we have. I really think that in the mainline
> kernel, there will be a steady increment of capabilities. However, for
> distributions, they may want to pick and choose which capabilities to backport
> to their shipping kernel. Meaning in practice, a bitmap may be better to allow
> cherry picking capabilities and user space being able to make informed
> decisions.
>
> I really don't mind if this is done by a new netlink command (but if we do,
> what happens to status.version?) or if we just keep going with status.version.
> Just tell me which it is.
>
> -Steve
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 20 Oct 2014 19:49:12 -0400
> From: Steve Grubb <sgrubb(a)redhat.com>
> To: linux-audit(a)redhat.com
> Cc: Richard Guy Briggs <rgb(a)redhat.com>, linux-kernel(a)vger.kernel.org
> Subject: Re: [PATCH V5 0/5] audit by executable name
> Message-ID: <13863680.WTabxyvHIP@x2>
> Content-Type: text/plain; charset="us-ascii"
>
> On Monday, October 20, 2014 07:33:39 PM Steve Grubb wrote:
> > On Monday, October 20, 2014 07:02:33 PM Paul Moore wrote:
> > > On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
> > > > On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > > > > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > > > audit by executable name.
> > > > >
> > > > > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > > > > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> > > > > supports it when issuing commands. Also, if it's conceivable that kernels
> > > > > may pick and choose what features could be backported to a curated
> > > > > kernel, should AUDIT_VERSION_ be a number that is incremented or a bit
> > > > > mask?
> > > >
> > > > Right now the value is 2. So this is your last hope if you want to make
> > > > it a bitmask. I'll leave that up to paul/richard to (over) design.
> > >
> > > Audit is nothing if not over-designed. I want to make sure we're
> > > consistent with the previous design methodologies ;)
> > >
> > > I've been thinking about this for about the past half-hour while I've been
> > > going through some other mail and I'm not really enthused about using the
> > > version number to encode capabilities. What sort of problems would we have
> > > if we introduced a new audit netlink command to query the kernel for audit
> > > capabilities?
> >
> > I thought that is what we were getting in this patch:
> > https://www.redhat.com/archives/linux-audit/2014-January/msg00054.html
> >
> > As I understood it, I send an AUDIT_GET command on netlink and then look in
> > status.version to see what we have. I really think that in the mainline
> > kernel, there will be a steady increment of capabilities. However, for
> > distributions, they may want to pick and choose which capabilities to
> > backport to their shipping kernel. Meaning in practice, a bitmap may be
> > better to allow cherry picking capabilities and user space being able to
> > make informed decisions.
> >
> > I really don't mind if this is done by a new netlink command (but if we do,
> > what happens to status.version?) or if we just keep going with
> > status.version. Just tell me which it is.
>
> Further to the point of status.version, it's declared as a __u32. So if it
> were a bit map, we can have 32 different features userspace needs to make
> support decisions on. I have a feeling that will last many years because I
> really can't see audit gaining too many more capabilities.
>
> -Steve
>
>
>
> ------------------------------
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
> End of Linux-audit Digest, Vol 121, Issue 17
> ********************************************
>
Regression: audit: x86: drop arch from __audit_syscall_entry() interface
by Paulo Zanoni
Hi
(Cc'ing everybody mentioned in the original patch)
I work for Intel, on our Linux Graphics driver - aka i915.ko - and our
QA team recently reported a regression on:
commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a
Author: Richard Guy Briggs
Date: Tue Mar 4 10:38:06 2014 -0500
audit: x86: drop arch from __audit_syscall_entry() interface
According to our QA, their i386 machine doesn't boot anymore. I tried
to write my own revert for the patch, asked QA to test, and they
confirmed it "solves" the problem.
Here are the details of QA's bug report:
https://bugs.freedesktop.org/show_bug.cgi?id=85277
The trees our QA tests are the development trees from i915.ko:
http://cgit.freedesktop.org/drm-intel?h=drm-intel-fixes
I tried searching for other bug reports on the same patch, but
couldn't find any. Forgive me if this bug was already reported.
Feel free to continue this discussion on the bugzilla report if you want.
Thanks,
Paulo
--
Paulo Zanoni